
Chapter 7. Authentication, Authorization, and Accounting (AAA)

This chapter covers the following topics:

This chapter provides a detailed explanation of the configuration and troubleshooting of authentication, authorization, and accounting (AAA) network security services that Cisco ASA supports. AAA offers different solutions that provide access control to network devices. The following services are included within its modular architectural framework:

  • Authentication— The process of validating users based on their identity and predetermined credentials, such as passwords and other mechanisms like digital certificates.

  • Authorization— The method by which a network device assembles a set of attributes that regulates what tasks the user is authorized to perform. These attributes are measured against a user database. The results are returned to the network device to determine the user's qualifications and restrictions. This database can be located locally on Cisco ASA or it can be hosted on a RADIUS or TACACS+ server.

  • Accounting— The process of gathering and sending user information to a AAA server used to track login times (when the user logged in and logged off) and the services that users access. This information can be used for billing, auditing, and reporting purposes.
